Architecture for Access Management

ABSTRACT

Described are techniques for security access and control. The techniques use a system that includes a card reader system including a processor and memory. The card reader system is configured to execute a security application that configures the card reader system to receive an embedded electronic credential from an access badge, with the embedded electronic credential carried by the access badge and being associated with a user, determine whether the credential indicates an authorized access, generate a message according to a result of the determination, and send the message to a distributed ledger that logs the result in the distributed ledger.

CLAIM OF PRIORITY

This application claims priority under 35 U.S.C. §119(e) to provisional U.S. Patent Application 62/385,387, filed on Sep. 9, 2016, entitled: “Architecture for Access Management,” the entire contents of which are hereby incorporated by reference.

BACKGROUND

This description relates to operation of networks for dissemination of information.

Access control systems commonly employ access cards that include corresponding embedded electronic credentials that are read by a corresponding card reader. For a given access card, a read credential is typically compared to an access control list that is stored in an access control system. If the credential matches an approved entry in the access control list, a cardholder in possession of the access card is allowed certain privileges such as, for example, access to a locked door. Such systems are widely deployed in commercial businesses.

It is common for computer systems to gather information, such as proprietary data on individuals and other entities such as businesses, as well as operational data from other systems. One type of information is proprietary data such as “personally identifiable information,” commonly referred to as “PII.” PII is information of a sensitive, personal nature that is generally associated with individuals and is often protected by privacy laws in many jurisdictions. PII is information that can identify, contact or locate a single person, or identify an individual in context. Examples of PII include name, social security number, date and place of birth, mother's maiden name, biometric records and information that is linkable to an individual, such as medical, educational, financial, and employment information, as well as a user's device IP address used in a communication service broker.

Another type of information is proprietary data such as Machine Identifiable Information or “MII,” such as in the context of the “Internet of Things.” That is, other information that is collected includes operational information such as information used to control access control systems, intrusion detection systems and integrated security/alarm systems. For different reasons each of these types of information may have a sensitive nature that should limit the ubiquitous retention of such information in disparate systems.

Considering PII, modern information technology and the Internet have made it easier to collect PII and MII through various mechanisms, leading to various problems such as aiding of criminal acts, identity theft, etc. For example, there have been numerous reports of security breaches of commercial, governmental and private systems having databases storing the PII information of many thousands or millions of individuals.

SUMMARY

According to an aspect, a system includes a card reader system including a processor and memory, the card reader system configured to execute a security application that configures the card reader system to receive an embedded electronic credential from an access badge, with the embedded electronic credential carried by the access badge and being associated with a user, determine whether the credential indicates an authorized access, generate a message according to a result of the determination, and send the message to a distributed ledger that logs the result in the distributed ledger.

Aspects also include systems and methods. Additional features of the computer program product, systems and methods include other features disclosed herein.

One or more of the above aspects may provide one or more of the following advantages.

The new architecture employs distributed ledger technologies that allow an access reader to validate information (a token) presented via the identity “card”, which token is relevant to the identity of the cardholder. Because the information is stored in a distributed ledger format (i.e., copies of the information to be validated are stored in numerous locations), the access system has a higher level of security since it would be extremely difficult to hack every instance of that information. Moreover, if a hack of the system was attempted, and the attempt to hack was unsuccessful with respect to even one instance of the validation information, the validation would fail and the person's identity would not be validated, thus maintaining secure access control.
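The property described above, that validation must succeed against every stored copy and fails if even one copy disagrees, as an added Python illustration written for this page (not code from the patent or any product). Replica names, the record contents and the token string are constructed sample values; the replicas are plain in-memory dictionaries standing in for the distributed ledger's storage locations.

```python
import hashlib
import json
from collections import Counter

# Constructed sample token presented by a badge; a placeholder, not a real credential format.
TOKEN = "constructed-token-for-badge-12a"


def record_fingerprint(record: dict) -> str:
    """Canonical SHA-256 over a record so copies on different replicas compare byte-for-byte."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def validate_across_replicas(replicas: dict, token: str):
    """Fetch the record for `token` from every replica and accept it only when all copies agree.

    Returns (record, []) on unanimous agreement, or (None, names) where `names` lists the
    replicas whose copy is missing or differs from the most common copy, so an operator
    can see which storage location diverged."""
    fingerprints = {name: (record_fingerprint(db[token]) if token in db else None)
                    for name, db in replicas.items()}
    reference, _ = Counter(fingerprints.values()).most_common(1)[0]
    if reference is None:                       # no replica holds the record at all
        return None, sorted(fingerprints)
    disagreeing = sorted(n for n, fp in fingerprints.items() if fp != reference)
    if disagreeing:                             # even one divergent copy blocks validation
        return None, disagreeing
    any_db = next(iter(replicas.values()))
    return any_db[token], []


def build_replicas():
    """Constructed scenario: three identical copies, then one copy tampered with."""
    record = {"type": "credential", "attester": "attester://hr-office", "valid": True}
    good = {name: {TOKEN: dict(record)} for name in ("replica-a", "replica-b", "replica-c")}
    tampered = {name: {TOKEN: dict(record)} for name in ("replica-a", "replica-b", "replica-c")}
    tampered["replica-c"][TOKEN]["attester"] = "attester://unknown"   # altered on one copy only
    return good, tampered


if __name__ == "__main__":
    good, tampered = build_replicas()
    print(validate_across_replicas(good, TOKEN))       # record accepted, no disagreement
    print(validate_across_replicas(tampered, TOKEN))   # None, ['replica-c']
```

The check is deliberately unanimous rather than majority-based: a majority vote would quietly tolerate a single altered copy, while the page's argument relies on any single divergent copy making validation fail, and the returned list of divergent replicas is the signal a monitoring station would want to alert on.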

The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention are apparent from the description and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram of an exemplary system for securing PII information.

FIG. 2 is a block diagram of a distributed ledger.

FIG. 3 is a block diagram of a broker system.

FIG. 4 is a block diagram of a facility with access control.

FIG. 4A is a blown up view of a portion of FIG. 4.

FIG. 5 is a block diagram of an example of an access control system.

FIG. 6 is a block diagram of an access system using an access card.

FIG. 7 is a flow diagram of an access process for the system of FIG. 6.

FIG. 8 is a block diagram of an exemplary device/system.

DETAILED DESCRIPTION

Described herein is a set of techniques that provide a solution using a distributed ledger, optionally with a private service broker, for dissemination between two or more electronic devices of information such as a credential (as well as other confidential information such as PII), which dissemination occurs in a controlled, secure and confidential manner. The system described uses a combination of an access badge with an embedded credential, which access badge is carried by a user, an access card reader associated with a security system that has a security system wallet, a distributed ledger that manages proxies for PII (as well as other confidential information), along with a service broker system that securely manages data transmissions and verifications of the data without actually having the security system wallet directly access the distributed ledger. In other implementations the service broker is not used and the security system wallet directly accesses the distributed ledger.

Referring now to FIG. 1, an exemplary distributed network system 10 for access control is shown. In the system 10, several approaches are feasible as disclosed in the incorporated-by-reference provisional application. One such approach, discussed in detail below, uses access badges 12 a, 12 b, each with embedded credentials 13 a, 13 b, in conjunction with a distributed ledger 14 back-end that replaces the typical centralized database (not shown). The access badges 12 a, 12 b are used with access card readers 15, in which a user will swipe or otherwise allow the card readers to read the credential on the user's badge. In some implementations, the access card reader 15 makes determinations regarding access. The access badge/distributed ledger approach provides enhanced user experience, security, compliance and so forth, as discussed below. The access badge is a physical security badge. Various form factors can be used as an access badge.

In the discussion below, the badges 12 a, 12 b hold users' credentials 13 a, 13 b that are needed for access to a facility using system 10. Also, in the discussion below, the focus will be on badge 12 a and credential 13 a.

The system 10 also includes a distributed ledger system 14. The distributed ledger system 14 is a sequential transaction database. An example of a sequential transaction database is the so-called “Blockchain” that operates with cryptocurrencies, such as “bitcoin”® (bitcoin project.org). The distributed ledger 14, rather than being dedicated to managing cryptocurrencies, manages PII transactional records and serves as the backend for a distributed access system. The distributed ledger system 14 interacts with a security system, e.g., a third party system 18, to allow access to users to otherwise locked facilities. While sharing some similarities to the Blockchain as well as other known types of sequential transaction databases, the distributed ledger 14 has some significant differences.

The distributed ledger 14 can have a structure as set out in FIG. 2. A service broker system 16 is included in some implementations of the distributed ledger 14. In some implementations, the service broker 16 interfaces between the card reader 15 and the distributed ledger 14. In other implementations, the service broker system 16 is not needed and the card reader 15 will interface directly with the distributed ledger 15.

The system 10 also includes a third party system 18. The third party system 18 can be any electronic system (or device) and is the system/device that seeks some aspect of the PII or other confidential information of a user that can be obtained from the security badge 12 a associated with the user. In the examples discussed below the third party systems are, or are aspects of, access systems, both physical access as well as logical access. By physical access is meant access to physical locations, e.g., facilities, whereas logical access relates to access to logical structures such as electronic devices or applications/data accessible via electronic devices. The examples discussed below are in relation to physical access control systems. In the processes discussed below, some or all of the aforementioned badge 12 a, distributed ledger 14, optionally service broker 16 and third party access system 18 are used.

Referring now to FIG. 2, the distributed ledger system 14 is shown. As mentioned, the distributed ledger system 14 is a sequential transaction database. The distributed ledger system 14 thus includes distributed databases 32 a-32 n that typically exist in the “Cloud.” The distributed databases comprise storage devices 34 a-34 n that are attached to different interconnected computers 36 a-36 n. The distributed databases are controlled by a distributed database management system that controls storage of data over a network 38 of the interconnected computers and executes corresponding replication and duplication processes. Replication software (not shown) detects changes in the distributed database contents and, once the changes have been detected, replicates the changes so that all the databases are the same. Duplication software (not shown) identifies one database (not shown) as a master and then duplicates that database across other databases. Replication and duplication keep the data current in all distributed storage locations.

The distributed databases 32 a-32 n that form the distributed ledger system 14 each store encrypted information records. An exemplary record 40 is shown below. The record 40 is stored in each of the distributed databases 32 a-32 n that form the distributed ledger system 14, which stores the record 40 in an encrypted form in the distributed ledger system 14. Record 40 has a structure that includes an attribute type, a hashed and encrypted value of the attribute, an attester's digital signature of the hashed and encrypted value and the attester's address.

An exemplary record format is set out in the table below, where the attribute could be something as simple as the credential 13 a.

User Attribute    Hashed and Encrypted Value    Attester Signature             Attester Address
Attribute         encrypt(attribute)            Signature of encrypt(value)    Address

Referring now to FIG. 3, the broker system 16 is shown. The broker system 16 includes a computer system and executes software that handshakes between the user system 12 and a vetting agent or attester. Rather than the third party device, e.g., access readers 15 a, 15 b (or more generally the third party system 18), accessing the distributed ledger 14 directly, all requests for transactions between the third party device and the requesting device occur through the broker system 16. In other embodiments, the third party device, e.g., access readers 15 a, 15 b (or more generally the third party system 18), directly accesses the distributed ledger system 14.

As shown in FIG. 3, the broker system 16 can be a compilation of many such broker systems 16 a-16 n. Each of the broker systems 16 a-16 n can comprise computer systems and associated distributed databases. The broker systems 16 a-16 n are distributed over a network of servers that act together to manage the distributed ledger 14. All attribute hashed values, attester information, etc. are stored in the distributed ledger 14 and, as the flow diagram below will show, the broker systems 16 a-n are configured to access the distributed ledger 14 to obtain and validate such information.

Note that in the context of a private distributed ledger environment, for an enterprise, it may be desirable to not have a query sent to the attester database for each transaction. Rather, a business rule could be established that once a validation event has occurred, then it is good for a period of time, until the attester database is updated, etc., so as to reduce latency.

Referring now to FIGS. 4, 4A, an implementation of an access control system is shown. A facility 110 with access control is shown in this illustrative example as having two secured rooms 112 a and 112 b and a single external entryway 112 c. Room 112 a has a doorway 113 a and has associated therein an access controller 116 a and an ingress card reader 118 a. Room 112 b has a doorway 113 b and has associated therein an access controller 116 b and two card readers, an ingress card reader 118 b and an egress card reader 118 b′. The external entryway 12 c has associated therewith an access controller 116 c and two card readers, an ingress card reader 118 c and an egress card reader 118 c′. A detailed view of the external doorway is shown in FIG. 9A with exemplary door locks 122 a, 122 b controlled by the access controller 116 c.

Referring now to FIG. 5, access control system 111 for a typical facility 110 includes a plurality of access controllers, generally 116. Each of the access controllers 116 can have designated master controllers (not shown). Conventional techniques to set up and associate these controllers with a security system can be used. During installation of an access control system, the access control system is configured by a technician according to operational requirements of the facility 110. The system also includes a gateway 137 that is coupled to the access controllers, e.g., via master controllers 116 a-16 c and a LAN, router, modem, to access the Internet and a firewall, as illustrated, and a server 139 that is coupled to the gateway 137. This is but an illustrative example.

Referring to FIG. 6, a system 150, such as a card reader, includes a processor 152 and memory 154 and a network interface card 153 (NIC) in communication with network infrastructure, e.g., a router, web server, etc., to access the distributed ledger 14. The system 150, i.e., card reader 150, is used in conjunction with a device 156 that includes an embedded electronic credential 158 (e.g., an access badge credential 13 a) that is associated with a user. The card reader 150 executes a security application 160 that is configured to receive the credential 158 from the device 156 and determine whether the credential 158 indicates an authorized access. In FIG. 6, the card reader 150, executing the security application 160, is further configured to receive credential information from the distributed ledger 14 and to send transaction records to the distributed ledger 14.

Referring now to FIG. 7, in one implementation, a user in possession of an access badge (e.g., 12 a) that includes the embedded electronic credential 158, e.g., credential 13 a, swipes, or otherwise has the badge accessed by the card reader 150. The credential embedded in the badge is read 170 by the card reader 150 in a generally conventional manner.

In one implementation, the processor 152 executing the security application 156 residing in memory 154 accesses 172 the distributed ledger 14 to obtain from the distributed ledger a record corresponding to the user's credential. The card reader 150 executing the security application 160 determines or verifies 174 whether the credential 158 that is received from the badge indicates an authorized access (or other action). The card reader 150 executing the security application 160 sends a request to the distributed ledger and receives credential information, if any is found, from the distributed ledger 14. Found credential information is sent from the distributed ledger 14 to the card reader.

Verifying 174 by the card reader 150 involves the card reader determining from the record received from the distributed ledger 14 some item of information regarding the credential (e.g., whether the credential is still valid and if so what access privileges are associated with the credential, etc.). In other implementations, either the system, the card reader, the servers (or both the card readers and servers) analyze the credential against stored access rules or against other criteria.

In either case, the card reader 150 generates, from the data received from the distributed ledger 14, a result. The reader generates a message according to the result. Thus, if the result is to allow access, the reader-generated message is a control message that grants 176 a access, e.g., unlocks an electronic lock on a door, etc., e.g., the door lock of FIG. 9.

If the result is to deny access 176 b then another action can occur, such as a retry action that is communicated to the user or an action that is not discernible to the user, but which denies access.

With either result (allowing access or denying access) the card reader sends a corresponding transaction message to the distributed ledger 14 that logs the result in the distributed ledger 14. Also, various other access control decisions can be made based on the result.
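The record layout in the table above, the validation-caching business rule noted for the private-ledger case, and the FIG. 7 sequence (read 170, look up 172, verify 174, grant 176 a or deny 176 b, then log the transaction) modelled together in one added Python example written for this page; it is not the patent's or any product's code. Assumptions: the ledger is an in-memory hash-chained list standing in for the replicated databases 32 a-32 n, and the service broker is omitted; an HMAC tag under a constructed attester key stands in for the attester's public-key digital signature, and keyed hashing under a constructed ledger key stands in for encrypting the hash; door names, badge credentials and attester addresses are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Constructed sample keys. Assumption: an HMAC tag stands in for the attester's
# public-key signature, and keyed hashing stands in for encrypting the hash.
ATTESTER_KEY = b"constructed-attester-key"
LEDGER_KEY = b"constructed-ledger-key"
VALIDATION_TTL = 300  # seconds a validation stays good before the ledger is queried again


def hash_and_encrypt(attribute: str) -> str:
    """'Hashed and Encrypted Value' column: hash the attribute, then key the hash so the
    stored value is useless without LEDGER_KEY (the raw credential never reaches the ledger)."""
    digest = hashlib.sha256(attribute.encode()).digest()
    return hmac.new(LEDGER_KEY, digest, hashlib.sha256).hexdigest()


def attest(value: str) -> str:
    """'Attester Signature' column: the attester's tag over the hashed-and-encrypted value."""
    return hmac.new(ATTESTER_KEY, value.encode(), hashlib.sha256).hexdigest()


def make_record(attr_type, attribute, attester_address, valid=True, privileges=()):
    """One record 40 with the four table columns, plus a validity flag and door privileges."""
    value = hash_and_encrypt(attribute)
    return {"type": attr_type, "value": value, "signature": attest(value),
            "attester": attester_address, "valid": valid, "privileges": list(privileges)}


class Ledger:
    """Hash-chained, append-only list standing in for the replicated databases 32 a-32 n."""

    def __init__(self):
        self.blocks, self.record_count = [], 0

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": hashlib.sha256((prev + body).encode()).hexdigest()})
        if payload["kind"] == "record":
            self.record_count += 1          # lets readers notice an attester-database update

    def latest_record(self, value):
        """Newest record for a hashed value; a later record supersedes an earlier one (revocation)."""
        for block in reversed(self.blocks):
            p = block["payload"]
            if p["kind"] == "record" and p["record"]["value"] == value:
                return p["record"]
        return None

    def chain_ok(self):
        """Replica self-check: every block must still hash to what the next block expects."""
        prev = "0" * 64
        for b in self.blocks:
            body = json.dumps(b["payload"], sort_keys=True)
            if b["prev"] != prev or b["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = b["hash"]
        return True


class CardReader:
    """Reader 150 running application 160: read, query ledger, verify, grant/deny, log (FIG. 7)."""

    def __init__(self, ledger, door):
        self.ledger, self.door, self.cache = ledger, door, {}

    def verify(self, record):
        """Step 174: the attester tag must match and the record must still be marked valid."""
        return hmac.compare_digest(attest(record["value"]), record["signature"]) and record["valid"]

    def present(self, credential, now=None):
        now = time.time() if now is None else now
        value = hash_and_encrypt(credential)           # step 170; only the keyed hash is ever logged
        cached = self.cache.get(value)
        if cached and cached[0] > now and cached[2] == self.ledger.record_count:
            privileges, source = cached[1], "cache"      # business rule: recent validation still good
        else:
            record = self.ledger.latest_record(value)  # step 172
            privileges, source = [], "ledger"
            if record is not None and self.verify(record):
                privileges = record["privileges"]
                self.cache[value] = (now + VALIDATION_TTL, privileges, self.ledger.record_count)
        result = "grant" if self.door in privileges else "deny"   # 176 a / 176 b
        self.ledger.append({"kind": "access", "door": self.door, "credential": value,
                            "result": result, "source": source, "ts": now})
        return result, source


def demo():
    """Constructed scenario: enrol, present twice (second served from cache), revoke, present again."""
    ledger = Ledger()
    reader = CardReader(ledger, "door-113a")
    ledger.append({"kind": "record", "record": make_record(
        "credential", "BADGE-12A-CRED-13A", "attester://hr-office", privileges=["door-113a"])})
    first = reader.present("BADGE-12A-CRED-13A", now=1000.0)
    second = reader.present("BADGE-12A-CRED-13A", now=1010.0)
    unknown = reader.present("BADGE-99Z-UNKNOWN", now=1020.0)
    ledger.append({"kind": "record", "record": make_record(
        "credential", "BADGE-12A-CRED-13A", "attester://hr-office", valid=False)})
    revoked = reader.present("BADGE-12A-CRED-13A", now=1030.0)
    return first, second, unknown, revoked, ledger.chain_ok()


if __name__ == "__main__":
    print(demo())
```

Revocation is modelled by appending a later record rather than editing an earlier one, so the append-only ledger keeps the full history; the reader bypasses its cache as soon as the record count changes, which is the "until the attester database is updated" clause of the business rule, and otherwise trusts a validation for VALIDATION_TTL seconds. Every access, granted or denied, is logged, and the log carries only the keyed hash of the credential, never the credential itself.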

The distributed ledger system stores, among other data, records of personally identifiable information, as well as access transactions. In addition to the storage of records of PII, the distributed ledger can also store hashes of those records, instead of or in addition to the records themselves. The distributed ledger record could record when access was denied or only when it was successful, or could record all transactions whether access was denied or successful.

Referring now to FIG. 8, components of system/devices are shown. Memory stores program instructions and data used by the processor. The memory may be a suitable combination of random access memory and read-only memory, and may host suitable program instructions (e.g. firmware or operating software), and configuration and operating data, and may be organized as a file system or otherwise. The program instructions stored in the memory may further store software components allowing network communications and establishment of connections to the data network. The software components may, for example, include an internet protocol (IP) stack, as well as driver components for the various interfaces. Other software components suitable for establishing a connection and communicating across a network will be apparent to those of ordinary skill.

Servers are associated with an IP address and port(s) by which they communicate with user devices. The server address may be static, and thus always identify a particular one of the monitoring servers to the intrusion detection panels. Alternatively, dynamic addresses could be used, and associated with static domain names, resolved through a domain name service. The network interface card interfaces with the network to receive incoming signals, and may for example take the form of an Ethernet network interface card (NIC). The servers may be computers, thin-clients, or the like, to which received data representative of an alarm event is passed for handling by human operators. The monitoring station may further include, or have access to, a subscriber database that includes a database under control of a database engine. The database may contain entries corresponding to the various subscriber devices/processes to panels like the panel that are serviced by the monitoring station.

All or part of the processes described herein and their various modifications (hereinafter referred to as “the processes”) can be implemented, at least in part, via a computer program product, i.e., a computer program tangibly embodied in one or more tangible, physical hardware storage devices that are computer and/or machine-readable storage devices for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a network.

Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only storage area or a random access storage area or both. Elements of a computer (including a server) include one or more processors for executing instructions and one or more storage area devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from, or transfer data to, or both, one or more machine-readable storage media, such as mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.

Tangible, physical hardware storage devices that are suitable for embodying computer program instructions and data include all forms of non-volatile storage, including by way of example, semiconductor storage area devices, e.g., EPROM, EEPROM, and flash storage area devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks and volatile computer memory, e.g., RAM such as static and dynamic RAM, as well as erasable memory, e.g., flash memory.

In addition, the logic flows depicted in the figures do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other actions may be provided, or actions may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. Likewise, actions depicted in the figures may be performed by different entities or consolidated.

Elements of different embodiments described herein may be combined to form other embodiments not specifically set forth above. Elements may be left out of the processes, computer programs, Web pages, etc. described herein without adversely affecting their operation. Furthermore, various separate elements may be combined into one or more individual elements to perform the functions described herein.

Other implementations not specifically described herein are also within the scope of the following claims.

1. A system comprises: a security access card reader system including a processor and memory, the security access card reader system configured to execute a security application that produces an electronic signal to unlock an electronic lock upon authenticating an access card, and the security application configures the security access card reader system to: receive an embedded electronic credential from an access badge, with the embedded electronic credential carried by the access badge and being associated with a user; determine whether the credential indicates an authorized access; generate a message according to a result of the determination; and send the message to a distributed ledger that logs the result in the distributed ledger.

2. The system of claim 1 further comprising, the distributed ledger system that is a sequential transaction database that comprises plural distributed database systems that store transaction records.

3. The system of claim 2 wherein the distributed ledger system stores transaction records corresponding to personally identifiable information.

4. The system of claim 1 wherein the card reader is configured to: send a request to the distributed ledger for information regarding the credential; and generate the message according to a determination based on data received from the distributed ledger and the received credential.

5. The system of claim 1 wherein upon determination that access should be granted, the card reader system is configured to generate the electronic control signal to control an electronic locking device to grant access.

6. The system of claim 1 wherein upon determination that access should not be granted, the card reader system is configured to: generate the message that is sent to the distributed ledger, which message is generated with an indication that access was denied.

7. The system of claim 1 further comprising: the access badge that includes the embedded electronic credential that is associated with the user.

8. A method comprises: configuring a security access card reader system including a processor and memory to execute a security application that produces an electronic control signal to unlock an electronic lock upon authenticating an access card, with the security application configures the card reader system to: receiving by the security access card reader system, an electronic credential embedded in a given access badge, with the embedded electronic credential carried by the given access badge and being associated with a given user; determining whether the credential indicates an authorized access; generating a message according to a result of the determination; and sending the message to a distributed ledger that logs the result in the distributed ledger.

9. The method of claim 8 further comprising, sending a request to the distributed ledger for information regarding the credential; and generating the message according to a determination based on data received from the distributed ledger and the received credential.

10. The method of claim 8 further comprising: generating the electronic control message that controls an electronic locking device to grant access in response to the determination that access should be granted.

11. The method of claim 8 further comprising: generating the message that is sent to the distributed ledger with an indication that access was denied in response to the determination that access should not be granted.